Copilot commented on code in PR #63115:
URL: https://github.com/apache/airflow/pull/63115#discussion_r2901929522


##########
airflow-core/src/airflow/api_fastapi/auth/tokens.py:
##########
@@ -291,14 +291,8 @@ def __attrs_post_init__(self):
             raise ValueError("Exactly one of private_key and secret_key must 
be specified")
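Review bot: the `ValueError` at the end of this hunk is unchanged context, yet the hunk drops six net lines of the post-init validation around it (`-291,14 +291,8`); check that the message still names the two mutually exclusive parameters the validator accepts after this change, since this text is the only diagnostic an operator sees when the key configuration is wrong.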

Review Comment:
   The `ValueError` message here says "Exactly one of private_key and 
secret_key must be specified", but `JWTValidator` takes `jwks` (not 
`private_key`). This makes the error misleading for callers and config 
troubleshooting. Suggest updating the message to reference `jwks` vs 
`secret_key` (and/or align it with the actual parameter names).
   ```suggestion
               raise ValueError("Exactly one of jwks and secret_key must be specified")
   ```



##########
airflow-core/src/airflow/api_fastapi/auth/tokens.py:
##########
@@ -326,13 +320,20 @@ async def avalidated_claims(
     ) -> dict[str, Any]:
         """Decode the JWT token, returning the validated claims or raising an 
exception."""
         key = await self._get_validation_key(unvalidated)
+        algorithms = self.algorithm
+        validation_key: str | jwt.PyJWK | Any = key
+        if algorithms == ["GUESS"] and isinstance(key, jwt.PyJWK):
+            header = jwt.get_unverified_header(unvalidated)
+            algorithms = [header.get("alg") or key.algorithm_name]
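Review bot: the last added line lets the unverified token header pick the verification algorithm (`header.get("alg")` wins, `key.algorithm_name` is only the fallback), and a header without `alg` on a JWK without `alg` produces `algorithms = [None]`, which only fails later inside `jwt.decode` with an unhelpful error. The algorithm should be fixed by the selected JWK, not by the token: resolve `key.algorithm_name` first, reject a missing value explicitly, and treat a header `alg` that disagrees with the key as an invalid token rather than trusting it. Minor: the annotation `str | jwt.PyJWK | Any` collapses to `Any`; narrow it to `str | jwt.PyJWK` or drop it.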

Review Comment:
   When `algorithm == ["GUESS"]` with JWKS, this derives the allowed algorithm 
from the *unverified* token header (`header.get("alg")`) and ignores any 
algorithm constraint that may be present on the selected JWK 
(`key.algorithm_name`). This means a token can potentially choose a different 
algorithm than what the JWKS intends for that key (and if the header 
omits/empties `alg`, `algorithms` can become `[None]`, leading to a confusing 
failure inside `jwt.decode`). Consider preferring `key.algorithm_name` when 
present, and otherwise requiring a non-empty `alg` header; if both exist and 
differ, raise a clear `InvalidAlgorithmError` (or similar) rather than silently 
trusting the header.
   ```suggestion
               header_alg = header.get("alg")
               key_alg = getattr(key, "algorithm_name", None)
               if header_alg and key_alg and header_alg != key_alg:
                   raise jwt.InvalidAlgorithmError(
                       f"Token algorithm '{header_alg}' does not match JWKS key algorithm '{key_alg}'."
                   )
               effective_alg = key_alg or header_alg
               if not effective_alg:
                   raise jwt.InvalidAlgorithmError(
                       "Cannot determine algorithm for token validation: "
                       "neither JWKS key nor token header specifies 'alg'."
                   )
               algorithms = [effective_alg]
   ```
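The selection rule proposed in the comment above, as an added stand-alone example that is not code from the PR, from Airflow or from PyJWT: the header parser does what `jwt.get_unverified_header` does, and `StubJWK` is an assumed stand-in for `jwt.PyJWK` carrying only `algorithm_name`, so the check runs without a real key or signature.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


class AlgorithmSelectionError(ValueError):
    """Raised when no single trustworthy algorithm can be fixed for verification."""


@dataclass
class StubJWK:
    """Assumed minimal stand-in for jwt.PyJWK: only the field this check reads."""
    kid: str
    algorithm_name: Optional[str]


def unverified_header(token: str) -> dict:
    """Parse the JOSE header without verifying anything (like jwt.get_unverified_header)."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)  # base64url omits padding
    return json.loads(base64.urlsafe_b64decode(padded))


def select_algorithm(token: str, key: StubJWK) -> str:
    """Pin the verification algorithm to the JWK; consult the unverified header only
    when the JWK carries no 'alg', and never accept a missing or conflicting value."""
    header_alg = unverified_header(token).get("alg")
    key_alg = key.algorithm_name
    if header_alg and key_alg and header_alg != key_alg:
        raise AlgorithmSelectionError(f"token alg {header_alg!r} != key alg {key_alg!r}")
    effective = key_alg or header_alg
    if not effective:  # this is the case that otherwise yields algorithms == [None]
        raise AlgorithmSelectionError("neither JWK nor token header specifies alg")
    return effective


def token_with_header(header: dict) -> str:
    """Constructed, unsigned sample token: only the header matters for this check."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64(header)}.{b64({'sub': 'demo'})}.sig"


if __name__ == "__main__":
    print(select_algorithm(token_with_header({"alg": "RS256", "kid": "k1"}), StubJWK("k1", "RS256")))
```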



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
